/etc/sysconfig/ldap

Set it to enable ldaps and to use the Kerberos key table created above, /etc/openldap/ldap.keytab.

SLAPD_LDAPS=yes
...
export KRB5_KTNAME=/etc/openldap/ldap.keytab

SSL Certificate

The LDAP server will require an SSL certificate. It could be purchased, but this isn't necessary: a private certificate authority (CA) works just as well, because the CA certificate can easily be distributed to the clients during client configuration. The openssl package provides the scripts needed to create the CA and the server certificate.

The certificate guide shows how to create a Certificate Authority (CA) certificate and also CA signed Server Certificates.

NOTE: If the LDAP server has one or more aliases, the certificate
must contain all of them. For example, if the LDAP server can be
looked up in DNS as host1.domain, ldap.domain and ldap.otherdomain,
add the following line to the usr_cert section of openssl.cnf before
signing the server certificate. Modern TLS clients match the host name
against subjectAltName only, so list the canonical name as well as the
aliases:

subjectAltName=DNS:host1.domain,DNS:ldap.domain,DNS:ldap.otherdomain

The CA certificate and the server certificate should be copied into the /etc/openldap directory.
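The following script is an added example, not part of the original guide or of the openssl CA scripts it refers to. It builds a private CA, signs a server certificate whose subjectAltName carries the canonical name and both aliases, and then checks the result the way a TLS client would, including a host name that is deliberately absent from the list. The host names, the working directory and the key sizes are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): build a private CA and sign a
# server certificate whose subjectAltName lists every DNS name the LDAP
# server answers to, then check it the way a TLS client would.
# Host names, working directory and key sizes are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJECT="/CN=Example Internal CA"
SERVER_CN="host1.domain"
# Canonical name plus every alias; modern clients consult only the SAN.
SERVER_SANS="DNS:host1.domain,DNS:ldap.domain,DNS:ldap.otherdomain"

make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/cakey.pem" -subj "$CA_SUBJECT" \
        -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca_ext.cnf"
    # Self-signed, with explicit CA extensions so every verifier accepts it as a CA.
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -days 3650 \
        -extfile "$WORK/ca_ext.cnf" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_cert() {
    openssl genrsa -out "$WORK/ldapkey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/ldapkey.pem" -subj "/CN=$SERVER_CN" \
        -out "$WORK/ldap.csr" 2>/dev/null
    # Same effect as adding subjectAltName to the usr_cert section of openssl.cnf,
    # kept in a small extension file so the demo does not touch the system config.
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$SERVER_SANS" > "$WORK/server_ext.cnf"
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 825 -extfile "$WORK/server_ext.cnf" \
        -out "$WORK/ldapcert.pem" 2>/dev/null
    chmod 600 "$WORK/ldapkey.pem"   # the private key must never be world readable
}

# Print the SAN list of the server certificate, comma separated, no spaces.
cert_sans() {
    openssl x509 -in "$WORK/ldapcert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Exit 0 if the server certificate chains to our CA.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/ldapcert.pem" >/dev/null 2>&1
}

# Exit 0 if a client connecting to host "$1" would accept the certificate.
name_matches() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/ldapcert.pem" >/dev/null 2>&1
}

make_ca
make_server_cert
echo "SANs: $(cert_sans)"
verify_chain && echo "chain verifies against cacert.pem"
name_matches ldap.otherdomain && echo "ldap.otherdomain accepted"
name_matches ldap.missing || echo "ldap.missing rejected: not in the SAN list"
```

The files the script leaves in its working directory (cacert.pem, ldapcert.pem, ldapkey.pem) are the ones the guide copies into /etc/openldap; the last two lines show why the alias list matters, since a name the server answers to but did not put in the certificate is rejected by the client.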

/etc/openldap/slapd.conf

Add references to the SSL certificates copied into /etc/openldap: the TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile directives. The private key file should be owned by, and readable only by, the account slapd runs as.

Add an idle timeout

idletimeout 3600

Failure to add this idle timeout will result in LDAP failing after a period of time. slapd holds every open client connection as a file descriptor, and the number it can hold is limited. If idle connections are never released, slapd eventually cannot open any more files and returns an error to all queries. If this value is too high (or the timeout is disabled), slapd will run out of file handles; if it is set too low, the system log will fill with messages about clients reconnecting to the LDAP server. The value of 3600 seconds used here is somewhat arbitrary and may need to change depending on LDAP service demands.

Configure suffix and rootdn to match the system domain

suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"

Add a temporary Manager account

This is needed for the initial load, before any Kerberos principal can write to the directory. A simple method is to run slappasswd to generate a hashed password and put its output in a rootpw line for the cn=Manager rootdn above. Remove (or comment out) rootpw once the initial load is done, since the admin principals get write access through the access rules below. NOTE: if you are using the MLS policy, you will have to run slappasswd via run_init.

SASL Configuration

This is a bit of a hack to restrict the SASL mechanisms that the
server advertises to just GSSAPI. Otherwise it also advertises
DIGEST-MD5, which the clients prefer, and then you have to add "-Y
GSSAPI" to all of your ldapsearch/ldapmodify/etc. command lines, which
is annoying (setting SASL_MECH GSSAPI in ldap.conf has the same effect
on the client side). The default for sasl-secprops is noanonymous,noplain,
so the addition of noactive is what makes DIGEST-MD5 and the others go
away: only mechanisms that resist active attacks, GSSAPI here, remain.

sasl-secprops noanonymous,noplain,noactive

Map SASL authentication properly:

# Map SASL authentication DNs to LDAP DNs
# This leaves "username/admin" principals untouched, because [^/]* cannot
# consume the slash, so the pattern fails to match them.
sasl-regexp "uid=([^/]*),cn=GSSAPI,cn=auth" "uid=$1,ou=people,dc=example,dc=com"
# The group should really be [^/]+ (one or more) rather than [^/]* (zero or
# more), but slapd won't accept it.

Access Control:

Add global access control restrictions.

These must go before any database line in the file, or else the settings will not be global!

# Users can change their shell, anyone else can see it
access to attrs=loginShell
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by self write
by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by self read
by * none
# Default read access for everything else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read
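To see how the sasl-regexp rewrite and the uid=.*/admin pattern in the access rules above treat different principals, here is an added example (not part of the original guide) that simulates both with the same POSIX extended regular expressions slapd uses. The base DN dc=example,dc=com is the one configured above; the principal names are made up for the demonstration, and the empty-uid case shows what the guide's comment about star versus plus is getting at.

```shell
#!/bin/sh
# Added example (not from the original guide): simulate, with POSIX extended
# regular expressions as slapd uses, how the sasl-regexp rewrite and the
# "uid=.*/admin" access-control pattern treat different Kerberos principals.
# dc=example,dc=com comes from the guide; the principals are made up.
set -eu

# The same rewrite as the guide's sasl-regexp line.  The [^/]* group cannot
# consume a slash, so "user/admin" principals fail the match and pass through.
map_sasl_dn() {
    printf '%s\n' "$1" | sed -E \
        's|^uid=([^/]*),cn=GSSAPI,cn=auth$|uid=\1,ou=people,dc=example,dc=com|'
}

# Exit 0 if the DN would be granted write access by the guide's access rules.
is_admin_dn() {
    printf '%s\n' "$1" | grep -Eq '^uid=.*/admin,cn=GSSAPI,cn=auth$'
}

# Show the end-to-end decision for one authenticated principal.
describe() {
    dn="uid=$1,cn=GSSAPI,cn=auth"
    mapped=$(map_sasl_dn "$dn")
    if is_admin_dn "$mapped"; then role=admin-write; else role=regular; fi
    echo "$1 -> $mapped ($role)"
}

describe alice          # rewritten to uid=alice,ou=people,dc=example,dc=com
describe root/admin     # left untouched, and matched by the admin rule
describe ''             # empty uid: the star still matches; a plus would not
```

The third case is the practical consequence of the star: an empty uid is rewritten to uid=,ou=people,dc=example,dc=com, which matches no real entry, so it does no harm but is exactly the kind of input the plus form would have rejected outright.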

Here are a number of additional security options.

To make slapd require integrity and encryption on connections (i.e. a TLS connection, or the SASL security layer that GSSAPI negotiates), use the security directive. Each number is a security strength factor (SSF), roughly the bit length of the cipher key in use; ssf=1 only demands that some integrity layer be present, while larger values demand stronger encryption:

security ssf=1 update_ssf=112 simple_bind=64

With these values every operation needs at least an integrity layer, updates need protection of at least 112 bits (3DES strength or better), and a simple (password) bind is only accepted once the connection is protected at 64 bits or more, so a password can never cross the wire in the clear.

Edit /etc/openldap/ldap.conf

This file needs to reside on each host that accesses the LDAP server, including the LDAP server(s) themselves.

Edit /etc/ldap.conf

Note: this file is edited here only so that it can be copied to the
clients during client configuration. It isn't necessary on the server
unless the server is itself running as a client and using the LDAP
user information, which is not recommended. A server using the LDAP
user information hasn't been tested here and would require some
careful configuration.

Add Initial Entries to LDAP Directory

To avoid an annoying warning message, create a DB_CONFIG for ldap:

[root@sefos ~]# touch /var/lib/ldap/DB_CONFIG

Next the root of the directory service needs to be added. This is
the Distinguished Name (DN) of the realm that the user and group data
resides under within the LDAP directory. The directory is stored
conceptually as a hierarchical tree, with the user and group
information for a realm stored underneath the realm's DN, so that DN
has to exist before any user or group entries can be added beneath
it. To create it, write the following LDAP Data Interchange Format
(LDIF) file, /tmp/ldap-init.ldif:
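As an added example (this is not the guide's own ldap-init.ldif), the script below generates an LDIF file containing the root object for dc=example,dc=com together with the ou=people container that the sasl-regexp above maps users into and an ou=group container for group data. The organisation name and the ou=group name are assumptions; the suffix matches the one configured in slapd.conf above.

```shell
#!/bin/sh
# Added example (not the guide's own ldap-init.ldif): generate the LDIF for the
# directory root and the containers the guide's configuration refers to.
# The organisation name and the ou=group name are assumptions; the suffix
# dc=example,dc=com matches the suffix configured in slapd.conf above.
set -eu

SUFFIX="dc=example,dc=com"
DC="example"                      # the leftmost dc value of the suffix
OUT="${OUT:-/tmp/ldap-init.ldif}"

# Emit one LDIF entry: the dn, then each attribute given as "attr: value",
# then the blank line that separates entries.
ldif_entry() {
    printf 'dn: %s\n' "$1"; shift
    for attr in "$@"; do printf '%s\n' "$attr"; done
    printf '\n'
}

# Root object (dcObject needs dc, organization needs o), then the containers:
# ou=people is where sasl-regexp maps authenticated users, ou=group holds groups.
init_ldif() {
    ldif_entry "$SUFFIX" "objectClass: dcObject" "objectClass: organization" \
        "dc: $DC" "o: Example Organization"
    ldif_entry "ou=people,$SUFFIX" "objectClass: organizationalUnit" "ou: people"
    ldif_entry "ou=group,$SUFFIX" "objectClass: organizationalUnit" "ou: group"
}

# Number of entries the generated LDIF contains.
entry_count() { init_ldif | grep -c '^dn: '; }

init_ldif > "$OUT"
echo "wrote $(entry_count) entries to $OUT"
# Load it with the temporary Manager account over ldaps; simple_bind=64 in
# slapd.conf refuses a simple bind on an unprotected connection, so the
# password never travels in the clear:
#   ldapadd -H ldaps://ldap.domain/ -x -D "cn=Manager,$SUFFIX" -W -f "$OUT"
```

The commented ldapadd line is the only step that needs the running server; the root entry must be loaded first, because the ou entries are its children and slapd refuses to add a child whose parent does not exist.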

Troubleshooting

If you get " Insufficient access (50); additional info: no write access to parent", then make sure the access control rules added to slapd.conf are global (i.e. they occur before any database statements).

If you get "ldap_sasl_interactive_bind_s: Local error (-2)", then you don't have any Kerberos credentials, or they have expired. Run kinit root/admin and supply the admin password to obtain a fresh ticket; klist shows whether a valid ticket is currently held.

LDAP Client

F9 LDAP Client Packages

# yum install openldap openldap-devel openldap-clients nss_ldap

The LDAP client is also a Kerberos client and must be configured as such before the steps below.

LDAP Client Configuration

Copy the following files from the LDAP server.

/etc/ldap.conf

/etc/openldap/ldap.conf

/etc/openldap/cacerts/cacert.pem

Make sure the CA certificate is world readable (it contains no secret, only the public CA certificate):

chmod 644 /etc/openldap/cacerts/cacert.pem

Testing LDAP from the Client

We should be able to query the LDAP server from the client and extract information. Here is a sample query and the expected output: